bruteforce

Hi,

I’m seeing this in the domlogs:

88.208.194.90 - - [15/Dec/2015:08:50:55 +0000] "POST /index.php/admin HTTP/1.1" 200 3613 "-" "-"
88.208.194.90 - - [15/Dec/2015:08:50:56 +0000] "GET /index.php/admin HTTP/1.1" 200 3499 "-" "-"
88.208.194.90 - - [15/Dec/2015:08:50:56 +0000] "POST /index.php/admin HTTP/1.1" 200 3613 "-" "-"
88.208.194.90 - - [15/Dec/2015:08:50:56 +0000] "GET /index.php/admin HTTP/1.1" 200 3499 "-" "-"
88.208.194.90 - - [15/Dec/2015:08:50:56 +0000] "POST /index.php/admin HTTP/1.1" 200 3613 "-" "-"
88.208.194.90 - - [15/Dec/2015:08:50:56 +0000] "GET /index.php/admin HTTP/1.1" 200 3499 "-" "-"

I enabled bruteforce protection and added /index.php/admin to the “login pages”. It is not triggering mod_security. Anything I can try?

I’m using the following:

Litespeed 5.0.9 (also happened on 5.0.5)
Comodo free rules 1.56
CWAF plugin 2.14
cPanel 11.52.1

Thanks

Which CMS do you have there?
Can you catch that POST request and put it here?

It is a Magento CMS

The post request is (changed our IP to x.x.x.x and target website to www.x.com):

T 2015/12/15 10:15:57.771928 88.208.194.90:36165 → x.x.x.x:80 [AP]
POST /index.php/admin HTTP/1.0…Host: www.x.com…Cookie: adminhtml=9o2lgd961ared4fo8h5vjed351…Content-Type: application/x-www-form-urlencoded…Content-Length: 65…form_key=&login[username]=Administrator&login[password]=pitts#123

Hi - is there any further information you need to assist with this?

To protect Magento from brute-force attacks you need to add its login page to the file
/<path_to_cwaf>/cwaf/etc/userdata/userdata_login_pages and restart the web server.

If you use our plugin with some WHCMS (for example cPanel), it could be done with Comodo WAF - Userdata - Login Pages - Save.

Please try to add index.php/admin/ to /userdata_login_pages.

Yes, index.php/admin/ is in my userdata_login_pages and httpd restarted as per my original post ;D
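
While the WAF rule is not firing, the pattern in the domlogs can still be confirmed independently of mod_security. The following is an added example, not part of the thread and not Comodo's or cPanel's code: it counts POSTs to the login path per client IP in a sliding window, treating the path with and without a trailing slash as the same page. The function name, threshold and window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The 88.208.194.90 lines come from the thread's domlog excerpt; the
# 203.0.113.7 lines are constructed to represent an ordinary admin login.
SAMPLE = '''\
88.208.194.90 - - [15/Dec/2015:08:50:55 +0000] "POST /index.php/admin HTTP/1.1" 200 3613 "-" "-"
88.208.194.90 - - [15/Dec/2015:08:50:56 +0000] "GET /index.php/admin HTTP/1.1" 200 3499 "-" "-"
88.208.194.90 - - [15/Dec/2015:08:50:56 +0000] "POST /index.php/admin HTTP/1.1" 200 3613 "-" "-"
88.208.194.90 - - [15/Dec/2015:08:50:56 +0000] "POST /index.php/admin HTTP/1.1" 200 3613 "-" "-"
203.0.113.7 - - [15/Dec/2015:08:51:10 +0000] "GET /index.php/admin/ HTTP/1.1" 200 3499 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Dec/2015:08:51:20 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
'''

# Combined log format: ip, ident, user, [timestamp], "METHOD path protocol"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)

def normalize(path):
    # Drop the query string and trailing slash so that /index.php/admin
    # and /index.php/admin/ are counted as the same login page.
    return path.split("?", 1)[0].rstrip("/") or "/"

def find_bruteforce(lines, login_path="/index.php/admin", threshold=3, window_s=10):
    """Return {ip: peak POST count to login_path within any window} for IPs
    whose peak reaches the threshold. Assumes lines are in chronological order."""
    target = normalize(login_path)
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # ip -> timestamps of POSTs still inside the window
    peak = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or normalize(m["path"]) != target:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:   # expire POSTs older than the window
            q.popleft()
        peak[m["ip"]] = max(peak.get(m["ip"], 0), len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE.splitlines()).items():
        print(f"{ip}: {n} login POSTs within 10s")
```
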